Last week someone responded to an article entitled “Why do Chief Security Officers Leave Their Job So Often”, and in that response the individual said something that is still resonating with me. It was a quite simple statement, but I fully related to it when I thought about all of my friends who are CISOs, former CISOs or Heads of Security. The statement was … Business Leadership usually values people who bring “The Good Things” over people who “Stop the Bad Things”. Now I know that is a simple statement, but something about it is so profound to me, in that it so accurately describes the internal battles that Security Professionals fight every day. When I think about a CISO talking to business leadership, I often imagine Jerry Maguire begging Rod Tidwell by saying “Help Me Help You … Help Me Help You”.
To most CEOs and Boards, “the good things” are Revenue, Profit, and Earnings. When Security Professionals request funding to buy more and more security tools and the organization still ends up experiencing a breach, leadership may see this as equivalent to the salesperson who constantly misses his or her number or quota. The difference is that for a CISO, an expectation of zero breaches and no security risks is the equivalent of giving a salesperson an unreasonable quota. So it’s no surprise that a significant breach or similar event is often the demise of the CISO. Management feels justified … “we gave this individual a large budget for security, and we still got owned”.
Instead, I believe that Cyber Risk and Threat Potential are better ways to measure security and communicate up the chain. A day in the security organization could be measured by what risk was reduced and/or how many potential threats were eliminated. The focus then moves to the highest priority risks and threats, the ones that could impact the systems deemed most critical to “Revenue, Profit, and Earnings” (The Good Things!). Leadership could see which potential avenues of attack were identified and removed, particularly as they relate to the systems and assets that are most important to them and presumably to the business. While new avenues for successful attacks will likely never stop showing up, security teams can show business leadership a steady decrease in the overall Attack Potential, which gives the business a meaningful metric for understanding that it is getting a return on its investment in Cyber Security. With a good communication plan and measurement system, security teams can be rewarded for their quantifiable contribution to these critical metrics rather than held accountable for meeting unachievable expectations.